
Where’d That Email Come From?

This is the second in a series of articles on reading internet message headers. If you haven’t already done so, please read the first article, Reading Internet Message Headers.

This time we’re using a message I sent to myself from a hotmail.com account I set up for this purpose. None of the headers except the received: line will normally appear more than once in any message.

Return-Path: <me@hotmail.com>
Received: from f51.hotmail.com (F51.hotmail.com
	[207.82.250.62]) by camel9.mindspring.com
	(8.8.5/8.8.5) with ESMTP id WAA29149
	for <cynthia@dev.null>;
	Thu, 11 Sep 1997 22:40:20 -0400 (EDT)
Received: (from root@localhost)
	by f51.hotmail.com (8.8.5/8.8.5) id TAA22003
	for cynthia@dev.null; Thu, 11 Sep 1997
	19:40:18 -0700 (PDT)
Message-Id: <199709120240.TAA22003@f51.hotmail.com>
Received: from 168.121.36.100 by www.hotmail.com with HTTP;
	Thu, 11 Sep 1997 19:40:18 PDT
X-Originating-IP: [168.121.36.100]
From: "Suzy Smith" <me@hotmail.com>
To: cynthia@dev.null
Subject: testing headers
Date: Thu, 11 Sep 1997 19:40:18 PDT
Restrict: no-external-archive
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
  • Return-Path: <me@hotmail.com>
    This field is like the reply-to: field in usenet headers, and like that field it is incredibly easy to forge. You can generally ignore it. It’s frequently the address of some poor soul chosen at random by the spammer. Sometimes it will be your address.
  • Received: from f51.hotmail.com (F51.hotmail.com [207.82.250.62]) by camel9.mindspring.com (8.8.5/8.8.5) with ESMTP id WAA29149 for <cynthia@dev.null>; Thu, 11 Sep 1997 22:40:20 -0400 (EDT)
    Received: (from root@localhost) by f51.hotmail.com (8.8.5/8.8.5) id TAA22003 for cynthia@dev.null; Thu, 11 Sep 1997 19:40:18 -0700 (PDT)
    Received: from 168.121.36.100 by www.hotmail.com with HTTP; Thu, 11 Sep 1997 19:40:18 PDT

    As in many messages, there are two received: lines. Sometimes forgers will deliberately insert misleading received: lines to make it seem as though the email went through a system that is wholly unrelated to the ones through which it actually traveled. Messages can also be sent through multiple servers to deliberately obscure their origins–it’s called “chaining” when you do it with anonymous remailers. Each machine that gets the message adds one received: line.

    In any case, the first line says that a machine at hotmail.com with the IP address 207.82.250.62 passed this message to a machine at mindspring.com at 10:40 pm eastern daylight time on 11 September 1997, and that it was addressed to cynthia@dev.null. Sometimes the name of the sending machine will be faked, so if I had reason to doubt the origin of the message I’d probably double-check to see just what machine was really 207.82.250.62. Don’t worry about the (8.8.5/8.8.5) part, as (I believe) that’s just the version of Sendmail the receiving computer is using.

    The second line says that the message was received from root@localhost by a machine at hotmail.com addressed to cynthia@dev.null. The time is different from the first because it’s on Pacific Daylight time. Sendmail doesn’t verify the sender on email, so root@localhost is just the name given to that mail server when the message was handed to it. It could be anything from my real name to God to the IP address of my machine. MindSpring requires that a valid email address be used to send mail through their servers now, but they didn’t always require that–and it could be anybody’s valid email address anywhere, even abuse@mindspring.com because Sendmail doesn’t check.

    The third received line finally has some actual information as to who created the message. It says that the machine www.hotmail.com received the email through HTTP (hypertext transfer protocol–what the web uses) from 168.121.36.100. Now someone could at least look and see that whoever sent it was using MindSpring, as 168.121.36.100 is one of their IP addresses. It would take MindSpring examining their server logs, though, to know that I was the user logged in at that IP address at that time (MindSpring uses dynamic IP addressing now). The “with HTTP” part is somewhat unusual (well, to me, anyway) but makes sense because hotmail.com is a web-based email service.

    The time on the three received lines could be important if you’re trying to figure out whether any of those lines is faked–sometimes the time in one of them is patently ridiculous.

  • Message-Id: <199709120240.TAA22003@f51.hotmail.com>

    This one is the unique message ID that hotmail.com assigned to the message. With it they should be able to tell which user sent the message, even if I’d found a way to obscure my email address.

  • X-Originating-IP: [168.121.36.100]

    I’ve only seen this one from hotmail.com, too. That’s the IP address of the user who sent the email. It’s the same as the third received: line, but provides a cross-check in case someone had found a way to munge that line. With this or any other IP address, if it isn’t a valid IP address format you know it’s faked. IP addresses always have 4 sections (like 0.0.0.0) and the digits in each place must be within the range 0 to 255. So 168.121.36.100 is valid, but 168.121.36.300 wouldn’t be. I’ve never seen this one faked, but that doesn’t mean that it can’t be faked.

  • From: “Suzy Smith” <me@hotmail.com>

    Fairly simple–the name I entered in the settings of my hotmail.com account, and my hotmail.com address. It isn’t easy to fake this one from a hotmail.com account after you’ve created the account–but it would be laughably easy to fake it anywhere else, or to simply create the account with a fake name. As I said above, Sendmail doesn’t do any kind of verification as to who is sending a message. MindSpring is the only place I’ve heard of that even requires a valid email address from the sender, and they don’t verify as to whether it is really the sender’s address. Hotmail doesn’t bother to verify the identity of people who sign up for their free accounts, so I could have claimed to be Sarah Ferguson and they’d be no wiser.

  • To: cynthia@dev.null

    The intended recipient. It’s simple here, but if there were multiple recipients you’d see a list of names separated by commas. If the name here isn’t one of your email addresses and you wonder how you got the email, look for a line that says cc: with your email address. If it isn’t there, either, you were BCC’d on the message–a common tactic of spammers. Some mail software doesn’t even check to see if the address in the to: field is valid–so you could put anything there and put the real recipient’s name in the bcc: field. I’ve seen lots of spam with to: addresses like “all@aol.com” that are obviously faked.

  • Subject: testing headers

    The subject of the message as assigned by the sender.
  • Date: Thu, 11 Sep 1997 19:40:18 PDT

    The time the mail was sent, usually from the sender’s machine (in this case, from Hotmail’s time rather than my own–it’s Pacific Daylight time again). I got an email from a friend a little while ago, and this line said he sent it at 20:26:49. The received: line said MindSpring’s servers got it at 20:31:25, so either his clock is slightly slow or there was a five-minute delay (he’s another MindSpring user, so a delay is unlikely).

  • Restrict: no-external-archive

    Actually, this one and the next one weren’t in the headers of the email from Hotmail, but they are in many of the messages I receive. Restrict: no-external-archive is an extra header that can be used to tell anyone archiving, for instance, a mailing list in which you participate that you do not want your messages included in the archive. It’s much like the x-no-archive: header for Usenet messages. Again, it’s an honor system–the archiving entity might ignore this header.

  • X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)

    This one tells you the software the sender used to send the message. Sometimes it just isn’t in the headers at all. If, however, I received an odd message from a friend who is a Mac user and noticed that it was sent by someone using a Windows version of Eudora Pro, I’d know it was a fake.
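
As an added example (not code from the article), here is a small Python script that walks the received: lines of the header block above in the order the article reads them, oldest hop first, and applies the checks the article describes: each relay’s "from" should name the previous relay, the timestamps should not run backwards, and X-Originating-IP should be a well-formed address that agrees with the first hop. The folded sample and the helper names are my own construction; the "(from user@host)" form is treated as a local Sendmail handoff rather than a network hop.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the Received: block quoted in the article, folded as a server emits it.
RAW_HEADERS = """Received: from f51.hotmail.com (F51.hotmail.com
\t[207.82.250.62]) by camel9.mindspring.com (8.8.5/8.8.5) with ESMTP id WAA29149
\tfor <cynthia@dev.null>; Thu, 11 Sep 1997 22:40:20 -0400 (EDT)
Received: (from root@localhost) by f51.hotmail.com (8.8.5/8.8.5) id TAA22003
\tfor cynthia@dev.null; Thu, 11 Sep 1997 19:40:18 -0700 (PDT)
Received: from 168.121.36.100 by www.hotmail.com with HTTP;
\tThu, 11 Sep 1997 19:40:18 PDT
X-Originating-IP: [168.121.36.100]
"""

def valid_ipv4(addr):
    # The article's rule: four dotted numbers, each in the range 0 to 255.
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def parse_received(value):
    # One unfolded line -> claimed sender, the IP the relay recorded in brackets, relay, time.
    body, _, date = value.rpartition(";")
    frm = re.search(r"\bfrom\s+([^\s()]+)", body)
    by = re.search(r"\bby\s+(\S+)", body)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", body)
    return {"from": frm.group(1) if frm else None, "by": by.group(1) if by else "?",
            "ip": ip.group(1) if ip else None, "time": parsedate_to_datetime(date.strip())}

def trace(raw):
    # Each relay prepends its own line, so reversing yields the path oldest-first.
    msg = email.message_from_string(raw)
    hops = [parse_received(" ".join(v.split())) for v in msg.get_all("Received", [])]
    return hops[::-1], (msg["X-Originating-IP"] or "").strip("[] ")

def find_anomalies(hops, originating_ip):
    # Forgery signs from the article: a "from" that contradicts the previous relay's "by",
    # a clock that runs backwards, and an X-Originating-IP that is malformed or disagrees.
    problems = []
    for prev, cur in zip(hops, hops[1:]):
        # "(from user@host)" is sendmail's local-submission form, not a network hop.
        if cur["from"] and "@" not in cur["from"] and cur["from"].lower() != prev["by"].lower():
            problems.append(f"{cur['by']} got it from {cur['from']}, not from {prev['by']}")
        if cur["time"] < prev["time"]:
            problems.append(f"{cur['by']} stamped it before {prev['by']} did")
    if not valid_ipv4(originating_ip) or originating_ip != hops[0]["from"]:
        problems.append(f"X-Originating-IP {originating_ip!r} does not match the first hop")
    return problems
```

Run against the article’s headers the checks come back clean; a hop whose timestamp is earlier than the one before it, or an X-Originating-IP such as 168.121.36.300, is reported.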

In the next article, we will briefly look at messages sent through mailing lists.

Originally published 10 February 2001. Last updated 17 February 2019.

1 Comment

  1. Moses

    It’s hard to find knowledgeable people on this topic, but you sound like you know what you’re talking about! Thanks
